
Re: unofficial package repository and the bugs system



Jim Pick wrote:
> 
> Everybody has my permission to flame anybody who sends a bug report
> to the Debian bug system for a non-Debian package.
> 

Not mine.
Users are used to trusting Debian and its .debs.
I suppose that some of them download .debs from several places (as I do)
and install them using dpkg, without always using dselect and a
debian.org site or one official mirror (those without the debian.org
domain).

You have to think that Debian does not have (and will not have) _any_ control over
an "unofficial" repository, where someone could even upload packages
with _exactly_ the same name and version of "official" packages that
could be found on our site.

How do we deal with this?
Instead of discussing whether or not we should _allow_ such repositories, we
should create a system that would permit users to notice when they are
installing "unofficial" packages _before_ they do that.
Relying on the "domain" where they grab the package is not enough. Do we
make any check that all packages are the same (and that there are no
more) on each "official" mirror?

What I would like to see is a version of dpkg (not dselect or deity)
that checks a "signature" (or something of the sort) on each package and informs
users of the "unofficiality" of each package, asking permission to
install as root. Such dpkg should not only accept Debian's signature,
but also signatures from some third party (for example a commercial
distribution derived from Debian and that has a commitment with us), or
packages built directly by the users themselves.



Fabrizio
-- 
| fpolacco@icenet.fi    fpolacco@debian.org    fpolacco@pluto.linux.it
| Pluto Leader - Debian Developer & Happy Debian 1.3.1 User - vi-holic
| 6F7267F5 fingerprint 57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
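
The pre-install check proposed in the message above, as an added example that is not part of the original post and is not dpkg code. It assumes each trusted origin publishes an already-authenticated index of Package/Version/SHA256 stanzas and compares digests against those indexes in place of the per-package signature the message asks for; the origin names, sample bytes and the `classify` helper are hypothetical.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_index(text: str) -> dict:
    """Parse Package/Version/SHA256 stanzas into {(name, version): digest}."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        try:
            entries[(fields["package"], fields["version"])] = fields["sha256"].lower()
        except KeyError:
            continue  # incomplete stanza: never counts as a trusted entry
    return entries

def classify(name: str, version: str, deb: bytes, trusted: dict) -> tuple:
    """Return (origin, verdict) for a package file about to be installed."""
    digest = sha256_hex(deb)
    claimed_by = None
    for origin, index in trusted.items():
        expected = index.get((name, version))
        if expected is not None:
            if hmac.compare_digest(expected, digest):
                return origin, "trusted"
            claimed_by = claimed_by or origin
    if claimed_by:
        return claimed_by, "mismatch"  # trusted name and version, other content
    return None, "unofficial"  # unknown to every origin: ask before installing

# Constructed sample data: byte strings stand in for real .deb files.
OFFICIAL = b"constructed stand-in for the official hello 1.0 package"
LOOKALIKE = b"constructed stand-in for another build named hello 1.0"
VENDOR = b"constructed stand-in for a third-party vtool 1:2.1 package"
TRUSTED = {  # hypothetical origin names; indexes assumed already authenticated
    "debian": parse_index(f"Package: hello\nVersion: 1.0\nSHA256: {sha256_hex(OFFICIAL)}\n"),
    "vendor": parse_index(f"Package: vtool\nVersion: 1:2.1\nSHA256: {sha256_hex(VENDOR)}\n\n"
                          "Package: broken\nVersion: 0.1\n"),
}

if __name__ == "__main__":
    for name, ver, blob in [("hello", "1.0", OFFICIAL), ("hello", "1.0", LOOKALIKE),
                            ("vtool", "1:2.1", VENDOR), ("local", "0.1", b"built here")]:
        print(name, ver, classify(name, ver, blob, TRUSTED))
```

In a real installer the name and version would be read from the package's own control data rather than passed in by the caller.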



